TL;DR: Chainguard FIPS images will use the Chainguard FIPS provider for OpenSSL 3.4.0 (CMVP #5132) beginning March 17, 2026.
| Announcement date | Planned Change date |
| Feb 17, 2026 | Mar 17, 2026 |
We are pleased to announce that all Chainguard FIPS container images will upgrade to the recently certified Chainguard FIPS provider for OpenSSL 3.4.0 (CMVP #5132) beginning March 17, 2026. This upgrade improves the security of Chainguard FIPS images by adding support for FIPS 186-5 Ed25519, making them 2030 ready, as per NIST recommendations. We’re announcing this change now to give customers time to consult with their auditor or sponsor to assess the compliance impact of this change, and to ensure their images continue to work properly after removing legacy and deprecated algorithms.
What is changing?
Chainguard FIPS container images will transition from the Chainguard FIPS provider for OpenSSL 3.1.2 (CMVP #5102) to the Chainguard FIPS provider for OpenSSL 3.4.0 (CMVP #5132) on March 17, 2026.
Why is Chainguard making this change?
Chainguard is committed to ensuring that Chainguard FIPS container images remain aligned with industry standards and evolving regulatory requirements. We regularly seek CMVP certification and update our catalog to the most up-to-date version of FIPS validated cryptography modules tailored for compliance with Chainguard hardened containers. Updating to Chainguard FIPS provider for OpenSSL 3.4.0 will make all Chainguard FIPS images 2030 ready, as per NIST SP 800-131A Revision 3 (Initial Public Draft) recommendations.
Highlights of this module compared to the existing 3.1.2 module (CMVP #5102) are:
- CVE fixes for CVE-2023-6237, CVE-2024-4603, CVE-2024-13176 which are present in the 3.0.8, 3.0.9, and 3.1.2 modules. The fixed advisory for these CVEs will be published March 31, 2026.
- Added support for FIPS 186-5 Ed25519 digital signature algorithm
- Enforcing minimum 8-character password length for PBKDF
- Chainguard Containers and all major OSes and Clouds are listed as Operating Environments (from Raspberry PI to all the public clouds)
- Removed support for legacy FIPS 186-4 DSA digital signature algorithm
- Removed support for deprecated binary curves (K-233, B233, K-283, B-283, K-409, B-409, K-571, B-571) as per FIPS 140-3 I.G. Section C.K. Resolution 3
- Removed support for less than 112-bits of security - RSA 1024 bit keys and P-192 curve, as per NIST SP 800-131A Rev. 2
What do I need to do?
Chainguard FIPS provider for OpenSSL 3.4.0 removes a number of legacy and deprecated algorithms that were present in prior OpenSSL modules. This is unlikely to affect the security and privacy posture of the system. However, this may still result in a breaking change for any workloads depending on these algorithms. If your workload depends on removed algorithms, please pin to a Chainguard FIPS image by digest released before March 17, 2026, and reach out to Chainguard support for assistance. Older images will accrue CVEs, so this is not a permanent solution.
If you’d like to pin an image with an older OpenSSL module, you can use Tag History API, chainctl images history, chainctl images changelog, chainctl images diff to inspect and identify changes within an image tag and select an image released prior to March 17, 2026. We recommend using chainctl images list with a CSV output format to capture all images, tags and digests in your registry prior to March 17, 2026, so you have a record of all image digests prior to the CMVP module change.
Chainguard FIPS provider for OpenSSL 3.4.0 has a different CMVP certificate number than prior OpenSSL modules. Changing CMVP certificate numbers may require additional compliance reviews for some customers. Chainguard recommends consulting with your auditor and sponsor to understand if this upgrade will require any action on your part.
To receive notifications for this and future FIPS module transitions, we recommend clicking “follow” on the "CMVP Certification Upgrades with FIPS 140-3" knowledge base article containing the timeline for all FIPS module transitions.
Need help or have questions?
We're here to help - visit our support portal at support.chainguard.dev.
The latest information on all current and upcoming FIPS validated cryptography modules can always be found in Chainguard’s FIPS commitment page, and the full timeline for all FIPS module transitions can be found in this Knowledge Base article.
- Chainguard Team
Comments
0 comments
Please sign in to leave a comment.